Use DH parameters from OpenSSL and remove support for ephemeral RSA

This adds support for DH parameters from 1024 to 8192 bits.

1 files changed, 0 insertions, 8 deletions

diff --git a/README.starttls b/README.starttls
index 0286632..07ee275 100644
--- a/README.starttls
+++ b/README.starttls
@@ -30,12 +30,6 @@ Optional: - when DEBUG is defined, some extra TLS info will be logged
             /var/qmail/control/clientcert.pem. By preference this is
             the same as servercert.pem, where nsCertType should be 
             == server,client or be a generic certificate (no usage specified). 
-          - when a 512 bit RSA key is provided in /var/qmail/control/rsa512.pem,
-            this key will be used instead of (slow) on-the-fly generation by
-            qmail-smtpd. Idem for 512 and 1024 DH params in control/dh512.pem
-            and control/dh1024.pem. `make tmprsadh` does this.
-            Periodical replacement can be done by crontab:
-            01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
           - server authentication:
             qmail-remote requires authentication from servers for which
             /var/qmail/control/tlshosts/host.dom.ain.pem exists.
@@ -86,8 +80,6 @@ Caveats: - do a `make clean` after patching
            will fail. This error can be ignored. Packagers should
            cut the first 12 lines of this patch to make a happy
            patch
-         - `make tmprsadh` is recommended (or should I say required), 
-           otherwise DH generation can be unpredictably slow
          - some need "-I/usr/kerberos/include" to be added in conf-cc
 
 Copyright: GPL